U.S. Department of Energy
Office of Inspector General
Office of Audits and Inspections

AUDIT REPORT
The Department of Energy's Management of Cloud Computing Activities

DOE/IG-0918                        September 2014

Department of Energy
Washington, DC 20585

September 19, 2014

MEMORANDUM FOR THE SECRETARY

FROM:    Gregory H. Friedman
         Inspector General

SUBJECT: INFORMATION: Audit Report on "The Department of Energy's Management of Cloud Computing Activities"

BACKGROUND

Cloud computing enables convenient, on-demand access to shared computing resources that can be rapidly provided to users. The Office of Management and Budget (OMB) established the Federal Cloud Computing Strategy because of the significant potential to reduce the cost of Federal information technology systems, while improving capabilities and stimulating innovation in information technology solutions. As part of this strategy, OMB instituted a "Cloud First" policy designed to accelerate the pace with which cloud computing technologies are adopted and used by the Federal government. In December 2011, the General Services Administration, along with other Government bodies, established the Federal Risk and Authorization Management Program (FedRAMP), a risk-based program designed to provide a standard, centralized approach to assessing cybersecurity controls and authorizing cloud computing services for operation. Federal agencies had until June 2014 to ensure that all new and existing cloud services met FedRAMP requirements.

In a prior Office of Inspector General (OIG) report on the Department's Management of Cloud Computing Services (OAS-RA-L-11-06, April 2011), we concluded that the Department of Energy had not developed policies and procedures governing security and other risks associated with cloud computing and had not adequately coordinated cloud computing efforts. A recent report by our colleagues at the National Aeronautics and Space Administration OIG, NASA's Progress in Adopting Cloud-Computing Technologies (Report No. IG-13-021, July 2013), identified weaknesses related to information technology governance, risk management practices and security requirements. As a result of issues identified during that audit, a Government-wide initiative was undertaken by the Council of Inspectors General for Integrity and Efficiency to provide insight to agency heads and lawmakers on how well the Federal government has adopted cloud computing technologies. In support of that effort, we initiated this audit to determine whether the Department efficiently and effectively managed its cloud computing environment.

RESULTS OF AUDIT

The Department had not always effectively or efficiently acquired, implemented or managed its cloud computing technologies. In particular, we found:

• Programs and sites independently acquired and managed cloud computing services valued at more than $30 million. Despite the significant investment and number of programs/sites that utilized cloud services, the Department had not developed and maintained a complete inventory of cloud services to help manage its efforts. While the Office of the Chief Information Officer (OCIO) reported only 44 ongoing cloud initiatives to OMB, our test work revealed that the Department had initiated at least 130 cloud computing efforts at 24 Federal and contractor locations. The lack of visibility into cloud computing efforts was not limited to the OCIO. We also found that program officials were often unaware of individual cloud computing efforts conducted at field offices and sites under their cognizance.

• The Department had not always established contracts with cloud computing service providers that ensured effective controls over the management of stored or transmitted information. Our review of eight contracts at six Federal and contractor locations found that, contrary to Federal guidance and best practices, the contracts did not always address key business and cybersecurity risks. For instance, provisions/clauses permitting access to the cloud service provider's facilities, operations, documentation and databases by Department personnel were not incorporated into a majority of the contracts. In many cases, the contracts did not allow for forensic investigations, nor did they recognize the OIG's authority to access facilities to support audits and investigations.

• The Department had not ensured that cloud computing services were implemented in accordance with FedRAMP. While OMB required that agencies utilize cloud service providers that met the cybersecurity requirements of FedRAMP by June 2014, we found that none of the cloud services reviewed had fully implemented these requirements. Notably, three services were in the process of implementing all requirements and obtaining FedRAMP approval. The Department also incorrectly reported to OMB that the majority of cloud services met all FedRAMP requirements even though many of the services had not been approved, a key step in the FedRAMP process.

These issues occurred, in part, because the Department lacked a comprehensive strategy designed to ensure effective and efficient implementation of cloud computing technologies. In particular, programs and sites, including both Federal and contractor organizations, had not effectively coordinated efforts when implementing cloud computing initiatives. For instance, neither the OCIO nor the program offices had taken sufficient action to identify a comprehensive and accurate inventory of cloud computing services used across the complex. In addition, officials had not provided adequate oversight to ensure that programs and sites had taken appropriate action to acquire and implement cloud computing initiatives. In many cases, Federal officials had not ensured that programs and sites carried out their responsibilities for meeting FedRAMP requirements. Furthermore, programs and sites had not implemented risk management processes to ensure that critical oversight controls were in place related to access to facilities and data, establishment of service level agreements used to define acceptable levels of service, and the ability to conduct audits and investigations related to cloud computing contracts.

Officials commented that cloud computing technology is highly dynamic and presents various risks. In addition, certain sites reported that they had realized cost savings through the implementation of cloud computing services. However, without further improvement, the Department may not fully realize the potential benefits of adopting cloud computing technologies. For example, absent effective coordination between programs and sites, the Department may continue to expend more resources than necessary through the independent acquisition and implementation of cloud computing technologies. Moreover, moving systems and data into the cloud without an effective strategy, policy or adequate risk management practices can result in cloud computing technologies that fail to meet mission needs and key business or information technology security requirements.

While we recognize that there are challenges to implementing cloud computing services in a decentralized environment such as that which exists within the Department, we made recommendations that, if fully implemented, should help the Department manage its implementation of cloud technologies in a more secure and cost-effective manner.

MANAGEMENT REACTION

Management concurred with the report's recommendations and indicated that it had initiated or planned corrective actions to address our recommendations. Management's comments and our response are summarized and more fully discussed in the body of the report. Management's formal comments are included in Appendix 3.

Attachment

cc:    Deputy Secretary
       Under Secretary for Nuclear Security
       Deputy Under Secretary for Management and Performance
       Deputy Under Secretary for Science and Energy
       Chief of Staff
       Chief Information Officer

AUDIT REPORT ON THE DEPARTMENT OF ENERGY'S MANAGEMENT OF CLOUD COMPUTING ACTIVITIES

TABLE OF CONTENTS

Audit Report

Details of Finding ..... 1
Recommendations ..... 6
Management Response and Auditor Comments ..... 7

Appendices

1. Objective, Scope and Methodology ..... 8
2. Related Reports ..... 10
3. Management Comments ..... 11

THE DEPARTMENT OF ENERGY'S MANAGEMENT OF CLOUD COMPUTING ACTIVITIES

DETAILS OF FINDING

While the Department of Energy (Department) had implemented numerous cloud computing initiatives in recent years, our review revealed that it had not always effectively or efficiently acquired, implemented or managed cloud computing services. We found that programs and sites were independently acquiring cloud computing services and providers and had not established an inventory of ongoing efforts. In addition, the Department had not always established contracts with cloud computing service providers that ensured effective controls over management of the Department's information. Furthermore, the Department had not ensured that the cloud computing services it utilized met the requirements of the Federal Risk and Authorization Management Program (FedRAMP). Due to the increased use of cloud computing initiatives throughout the Federal government, the Office of Management and Budget (OMB) directed that all agencies implement FedRAMP to standardize the approach to system security and testing and reduce redundancy.

Inventory of Cloud Computing Services

When working to implement new information technology solutions, programs and sites were independently acquiring and managing cloud computing services and providers. We found that the Department entered into cloud computing contracts valued at more than $30 million at numerous programs and sites. Despite the significance of the ongoing efforts, the Department had not developed and maintained a complete inventory of cloud computing services used by programs and sites. Specifically, while the Office of the Chief Information Officer (OCIO) reported that there were only 44 ongoing cloud initiatives, our test work revealed the Department had at least 130 initiatives underway at 24 Federal and contractor locations. OCIO officials told us that their information was based on responses to data calls submitted by programs to address OMB reporting requirements. However, based on the results of our review, we determined that the number of cloud computing initiatives reported by the Department to OMB was significantly understated.

Even within programs, officials were often unaware of individual cloud computing efforts conducted at their field offices and sites. For instance, Headquarters officials within the Office of Science (Science) were unaware of all cloud services acquired at sites and field offices, or which service providers were used. This was especially concerning because Science maintained the majority of cloud computing efforts within the Department. While management commented that many of the cloud computing efforts were still in the pilot and testing phase, our review focused only on those cloud systems that were operational. In response to our review, Science Headquarters and Argonne National Laboratory officials commented that they plan to leverage our results to maintain a program-level inventory of cloud services and providers. Oak Ridge National Laboratory also maintained an inaccurate inventory of service providers at the site. Specifically, contrary to documentation and officials' responses provided during our review, site officials told us near the end of our audit that one of their systems had been incorrectly reported to us as a cloud system. While the lack of an adequate inventory may have limited impact on the site's ability to manage security over cloud services, we are concerned that the inconsistent information provided by the site will further contribute to the inventory weaknesses identified within the Department. As noted in prior Office of Inspector General reports related to the Department's unclassified cybersecurity program, maintaining an accurate and complete inventory of systems is needed to plan for and institute appropriate protective measures for systems, especially those that may contain sensitive and personally identifiable information.

Cloud Service Provider Contracts

The Department had not always established contracts with cloud computing service providers that ensured effective controls over the management of the Department's information. In support of a Government-wide review chartered by the Council of Inspectors General for Integrity and Efficiency, we examined a sample of the Department's cloud computing contracts to determine whether best practices for acquiring information technology as a service were met, as recommended by the Federal Chief Information Officers Council and the Chief Acquisition Officers Council.[1] In particular, our review of eight contracts at six Federal and contractor locations identified that the contracts did not address or mitigate key business and cybersecurity risks. For instance, contract clauses permitting access to the cloud service provider's facilities, operations, documentation and databases by Department personnel were not incorporated into a majority of the contracts reviewed. In addition, many of the contracts reviewed did not address the Department's ability to conduct forensic investigations, procedures for electronic discovery, or the Office of Inspector General's right to access facilities to support audits, inspections, investigations and other reviews. Specifically:

• One contract reviewed did not contain an executed service level agreement with the cloud service provider that defined acceptable service levels, provided performance metrics and outlined enforcement mechanisms. Officials at Argonne National Laboratory had not ensured that performance measures such as uptime percentages, service outages and remedies were specified within contract documentation. Absent such a control, programs and sites would have little or no recourse should the cloud service provider fail to perform as intended.

• A majority of the cloud contracts reviewed lacked required and/or recommended practices, such as those in the Federal Acquisition Regulations. In particular, seven of eight contracts reviewed omitted language permitting the Office of Inspector General access to pertinent cloud service records or the ability to interview cloud service personnel regarding Department-related transactions.

• An ongoing review at the Bonneville Power Administration revealed weaknesses related to the site's procurement contract for a recruiting/human resource cloud service provider. Preliminary test work identified that Bonneville Power Administration's contract with the cloud service provider had not included several mandatory clauses and/or best practices such as those related to data ownership rights, inspection, and acceptance. As a result, Bonneville Power Administration exposed itself to unnecessary risk.

While we recognize that there are various contracting implications to consider when evaluating cloud computing technologies, the purpose of the Government-wide Council of Inspectors General for Integrity and Efficiency review was to, among other things, evaluate contracts between agencies and cloud service providers to determine whether applicable standards and best practices had been appropriately implemented.

[1] Creating Effective Cloud Computing Contracts for the Federal Government: Best Practices for Acquiring IT as a Service, February 24, 2012.

FedRAMP Implementation

The Department had not ensured that cloud computing providers utilized by programs and sites met the requirements of FedRAMP. FedRAMP was established in 2011 by the General Services Administration, along with other Government bodies, to provide a cost-effective, risk-based approach for the adoption and use of cloud services by making available a "do once, use many times" approach. Although OMB required that agencies' cloud service providers be compliant with FedRAMP by June 2014, we found that various cloud providers reviewed were not approved and/or had not begun the FedRAMP approval process, including submission of security documentation to FedRAMP.

While officials told us that certain cloud services were in the process of becoming approved, none of the cloud services reviewed had yet obtained FedRAMP approval to ensure that security authorizations could be leveraged Government-wide. In addition, we determined that none of the contracts reviewed required approval by the deadline. We found that only one cloud service provider used by several sites reviewed had submitted security assessment packages to FedRAMP for inclusion in the repository, a process designed to reduce the burden of duplicative security testing by other organizations. As a result, the lack of implementation may limit the Department's ability to realize reduced procurement and operating costs related to assessing FedRAMP security controls.

We also found that the Department did not accurately report progress as part of its quarterly submissions to OMB. Specifically, based on the OCIO's data call instructions, Department elements reported that 30 of 44 cloud initiatives met FedRAMP requirements even though the services had not fully implemented requirements and been approved by FedRAMP authorities. Although one site reported that all 20 of its cloud computing services were compliant with FedRAMP, we found no evidence that the services had been approved, which could have allowed other organizations to eliminate duplicative testing of the same cloud services. Similarly, while the OCIO noted that one of its cloud service providers was approved, we found that the provider had only initiated the process and had yet to be designated FedRAMP compliant. Furthermore, for those services that were not approved, the Department did not identify and report planned corrective actions to OMB, as required. Absent approval of cloud computing services, the Department may not meet FedRAMP's primary objective of providing a cost-effective, risk-based approach to cloud services by leveraging cloud service assessment and authorization activities.

Cloud Computing Strategy

The issues we identified occurred, in part, because the Department lacked a comprehensive strategy designed to ensure effective and efficient implementation of cloud computing technology. In particular, programs and sites had not effectively coordinated efforts when implementing cloud computing initiatives. Officials also had not provided adequate performance monitoring to ensure that programs and sites had taken appropriate action to effectively acquire and implement cloud computing initiatives. In addition, programs and sites had not adequately implemented risk management processes to ensure that critical oversight controls over cloud service providers were in place.

Coordination

Department programs and sites, including both Federal and contractor organizations, had not effectively coordinated efforts when implementing cloud computing initiatives. For instance, neither the OCIO nor the program offices had taken sufficient action to identify a comprehensive and accurate inventory of cloud computing services in use across the complex. Such an inventory could have helped establish a baseline architecture and potentially eliminated duplication by leveraging cloud acquisition efforts. Although the OCIO issued a request to programs and sites to determine the number of cloud initiatives throughout the Department, responses to the data call were, in many cases, nonexistent. Even when responses were provided, we found that the OCIO had not taken action to validate the results prior to reporting cloud computing information to OMB. In addition, although the Department developed documents such as the Department of Energy National Laboratories and Plants Leadership in Cloud Computing and the Fiscal Years 2014-2018 Information Resources Management Strategic Plan, we found that these documents did not address elements such as FedRAMP requirements and/or coordination of programmatic and site cloud computing efforts.

Notably, we observed positive actions designed to increase collaboration among national laboratories and decrease the time spent on contract negotiations. In one case, a blanket purchase agreement for a cloud service was negotiated by Lawrence Berkeley National Laboratory on behalf of several of the Department's programs and sites. Officials told us that the agreement included favorable pricing terms that provided the opportunity to decrease the per-user license cost as more customers subscribe to the service.

Oversight and Risk Management

Officials had not ensured that programs and sites had taken appropriate action to effectively acquire and implement cloud computing services. For instance, contrary to industry best practices, Department officials had not established policies and procedures to ensure that implementation of cloud computing initiatives included common considerations such as information security risks related to privacy, compliance, data location, certification and records management. We also found that no guidance existed related to areas such as service level agreements, auditing and end-user roles and responsibilities. Although the OCIO developed the DOE Cloud Computing Toolkit in September 2012 to provide limited cloud computing guidance, the document does not carry the force of mandate to assist Department officials with developing a policy framework, ensuring appropriate coordination or setting strategy based on risks in alignment with the Department's enterprise architecture. Further, many program and site officials did not know the toolkit existed or did not utilize the document. Notably, management commented that its cloud computing requirements for the Office of Energy Information Technology Services exceeded FedRAMP requirements in certain instances, such as in the case of establishing the trustworthiness of foreign nationals.

Officials also had not ensured that programs and sites, including management and operating contractors, carried out their responsibilities for meeting FedRAMP requirements. For example, management and operating contractor officials commented that they were not required to comply with FedRAMP. As such, sites were not working with cloud service providers to update contractual requirements or identify actions needed to address the requirements of FedRAMP for each service. A Science Headquarters official commented that without Department policy, it was difficult to enforce the requirements on contractors. However, an OMB memorandum on Security Authorization of Information Systems in Cloud Computing dictated that FedRAMP policy is applicable to information systems that support operations and assets of the Department, including those systems provided or managed by other agencies or contractors. These issues were exacerbated by incorrect interpretation of FedRAMP policy by programs and sites, including certain elements of the OCIO. While OCIO officials stated that FedRAMP policy required that a Federal cloud service be compliant with security controls established by the National Institute of Standards and Technology, they asserted that services were not required to be certified as a cloud service provider through the FedRAMP process. However, FedRAMP officials stated that cloud service providers must be both compliant with FedRAMP security controls and approved by FedRAMP authorities.

We also found that programs and sites had not implemented risk management processes to ensure that critical oversight controls were in place related to access to facilities and data, establishment of service level agreements and the ability to conduct audits and investigations. For example, while Argonne National Laboratory officials stated that they had discussed the risk of moving information into the cloud with Federal officials who accepted the risk as part of the Laboratory's overall risk management process, we found that items such as a risk assessment and related mitigating controls were not documented or approved, as appropriate. To its credit, Idaho National Laboratory worked extensively with its authorizing official to ensure that key business and cybersecurity risks were evaluated and mitigated as necessary within cloud contract provisions prior to placing the service in operation. According to the National Institute of Standards and Technology, placing Federal systems and data into a public cloud poses challenges because the computing environment is under the control of the cloud service provider rather than the Department. As such, effective risk management requires establishing contracts that address how a contractor's performance will be managed and how cybersecurity, privacy and information management requirements will be met.

Opportunities for Improvement

Without improvements, the Department may not fully realize the potential benefits of adopting cloud computing technologies, including improved information technology service delivery, increased collaboration and potential cost reductions. In addition, absent effective coordination between programs and sites, the Department may spend more resources than necessary independently acquiring and implementing cloud computing technologies. Transitioning to cloud computing services without an effective strategy, policy or adequate risk management practices can result in cloud computing technologies that fail to meet mission needs and key business or information technology security requirements. Ultimately, the availability, integrity and confidentiality of Federal systems and data may be placed at an unnecessarily high risk. Furthermore, continuing on a path of non-compliance with FedRAMP requirements may prevent the Department and its contractors from effectively leveraging ongoing initiatives, resulting in duplicative efforts and resources related to implementing security processes and controls.

RECOMMENDATIONS

To improve the management and coordination of cloud computing activities, we recommend that the Under Secretary for Nuclear Security, the Deputy Under Secretary for Management and Performance and the Deputy Under Secretary for Science and Energy, in coordination with the Department's and National Nuclear Security Administration's Chief Information Officers:

1. Establish a cloud computing strategy in accordance with FedRAMP requirements that includes effective coordination of programmatic and site efforts and development of an inventory of cloud computing services.

2. Ensure effective oversight over cloud computing efforts, including development and implementation of policies and/or procedures related to the acquisition, implementation and security of cloud computing services that:

   a. Ensures contracts with cloud service providers include, among other things, language related to service level agreements, auditing and roles and responsibilities;

   b. Clarifies discrepancies between the Office of the Chief Information Officer and FedRAMP related to approval of the Department's cloud service providers in accordance with Federal requirements; and

   c. Provides direction ensuring that the Department and its management and operating contractors implement systems in accordance with applicable FedRAMP requirements.

3. Ensure key business and security risks related to implementation of cloud computing services are adequately evaluated, mitigated and documented.

MANAGEMENT RESPONSE

Management concurred with each of the report's recommendations and indicated that corrective actions were initiated or planned to address the issues identified. For example, the Department established an Information Management Governance Board that will be leveraged to align and communicate cloud strategy and requirements to support the Department's mission and objectives. In addition, management commented that the Department will continue to develop, evaluate and revise guidance regarding service level agreements, auditing and roles and responsibilities, including the use of standard contractual clauses. Management also indicated that the Department is working with the FedRAMP Program Management Office to clarify the requirements for FedRAMP compliance and approval for the Department's cloud computing services.

AUDITOR COMMENTS

Management's comments and planned corrective actions were responsive to our recommendations. Management's comments are included in Appendix 3.

APPENDIX 1

OBJECTIVE, SCOPE AND METHODOLOGY

Objective

The objective of this audit was to determine whether the Department of Energy (Department) efficiently and effectively managed its cloud computing environment.

Scope

The audit was performed between January and September 2014 at Department Headquarters in Washington, DC and Germantown, Maryland; the Argonne National Laboratory in Argonne, Illinois; the Fermi National Accelerator Laboratory in Batavia, Illinois; the Idaho National Laboratory in Idaho Falls, Idaho; the Lawrence Berkeley National Laboratory in Berkeley, California; and the Oak Ridge National Laboratory in Oak Ridge, Tennessee. We reviewed cloud computing activities for various program offices, including the Offices of Nuclear Energy, Science, Fossil Energy, Environmental Management, and the Chief Information Officer, as well as the National Nuclear Security Administration. The audit was conducted under Office of Inspector General Project Number A14TG017.

Methodology

To accomplish our objective, we:

• Reviewed applicable laws, regulations and directives related to cloud computing.

• Reviewed relevant reports issued by the Office of Inspector General and the Government Accountability Office.

• Reviewed best practices and Office of Management and Budget memoranda pertaining to cloud computing activities such as the Federal Risk and Authorization Management Program.

• Judgmentally selected a sample of cloud services for a detailed review. We selected eight services from cloud computing initiative surveys that were completed by the Department's program offices. Our selection criteria included the cost of the service, number of users and whether the service had been placed into production.

• Reviewed relevant documentation such as cloud contracts, terms of service, service level agreements and non-disclosure agreements.

• Held discussions with field site officials and officials from various Departmental offices responsible for cloud computing activities and cloud acquisition and contracting.

We conducted this performance audit in accordance with generally accepted Government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Accordingly, we assessed significant internal controls and compliance with laws and regulations to the extent necessary to satisfy the audit objective. In particular, we assessed the Department's implementation of the GPRA Modernization Act of 2010. Although the Department had established certain overarching performance goals subsequent to our audit work, none of the sites evaluated had established performance metrics specific to the acquisition and use of cloud computing services. Because our review was limited, it would not necessarily have disclosed all internal control deficiencies that may have existed at the time of our audit. We did not rely on computer-processed data to satisfy our audit objective.

An exit conference was held with Department management on September 12, 2014.

APPENDIX 2

RELATED REPORTS

Office of Inspector General

• Audit Report on the Department's Management of Cloud Computing Services (OAS-RA-L-11-06, April 2011). The report identified areas that the Department of Energy (Department) should consider before it moves forward with adopting such cloud computing technology on a large scale. Specifically, we noted several opportunities for improvement in the Department's cloud computing initiatives. For instance, the Department had not yet prepared policies and procedures governing security and other risks or established coordination requirements among sites to prevent duplication or other problems with cloud computing initiatives.

Government Accountability Office

• Report on the Progress Made but Future Cloud Computing Efforts Should be Better Planned (GAO-12-756, July 2012).
The report stated that selected Federal agencies\n       have made progress implementing the Office of Management and Budget\'s "Cloud First"\n       Policy. Consistent with this policy, each of the seven agencies incorporated cloud\n       computing requirements into their policies and processes. During the review, the\n       Government Accountability Office identified seven common challenges associated with\n       the implementation of Office of Management and Budget\'s "Cloud First" Policy,\n       including acquiring knowledge and expertise, as well as certifying and accrediting\n       vendors.\n\n   \xe2\x80\xa2   Report on Federal Guidance Needed to Address Control Issues with Implementing Cloud\n       Computing, (GAO-10-513, May 2010). According to the report, cloud computing can\n       both increase and decrease the security of information systems in Federal agencies. As\n       such, Federal agencies had begun efforts to address information security issues for cloud\n       computing, but key guidance was lacking and efforts remained incomplete. Although\n       individual agencies identified security measures needed when using cloud computing,\n       they had not always developed corresponding guidance. For example, only nine agencies\n       had approved and documented policies and procedures for writing comprehensive\n       agreements with vendors when using cloud computing.\n\nNational Aeronautics and Space Administration\n\n   \xe2\x80\xa2   Audit Report on NASA\'s Progress in Adopting Cloud-Computing Technologies (Report\n       No. IG-13-021, July 2013). The National Aeronautics and Space Administration\'s\n       (NASA) information technology governance and risk management practices impeded the\n       Agency from fully realizing the benefits of cloud computing and potentially put systems\n       and data stored in the cloud at risk. 
For example, NASA officials moved systems and\n       data into public clouds without the knowledge or consent of the Agency\'s Office of the\n       Chief Information Officer. Moreover, on five occasions, NASA acquired cloud-\n       computing services using contracts that failed to fully address the business and\n       information technology security risks unique to the cloud environment.\n\n\nRelated Reports                                                                        Page 10\n\x0c                                            APPENDIX 3\n\n                      MANAGEMENT COMMENTS\n\n\n\n\nManagement Comments                              Page 11\n\x0c                      APPENDIX 3\n\n\n\n\nManagement Comments        Page 12\n\x0c                      APPENDIX 3\n\n\n\n\nManagement Comments        Page 13\n\x0c                      APPENDIX 3\n\n\n\n\nManagement Comments        Page 14\n\x0c                                        FEEDBACK\nThe Office of Inspector General has a continuing interest in improving the usefulness of its\nproducts. We aim to make our reports as responsive as possible and ask you to consider sharing\nyour thoughts with us.\n\nPlease send your comments, suggestions and feedback to OIGReports@hq.doe.gov and include\nyour name, contact information and the report number. Comments may also be mailed to:\n\n                              Office of Inspector General (IG-12)\n                                     Department of Energy\n                                    Washington, DC 20585\n\nIf you want to discuss this report or your comments with a member of the Office of Inspector\nGeneral staff, please contact our office at (202) 253-2162.\n\x0c'